Summary
The remote host is missing an update to dspam
announced via advisory DSA 1501-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201501-1
Insight
Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line when using the MySQL backend. This allowed a local attacker to read the contents of the dspam database, such as emails.
For the stable distribution (etch), this problem has been fixed in version 3.6.8-5etch1. Packages for the mipsel architecture will be added as soon as they become available.
The old stable distribution (sarge) does not contain the dspam package.
For the unstable distribution (sid), this problem has been fixed in version 3.6.8-5.1.
We recommend that you upgrade your dspam package.
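The exposure class described above (a credential passed as a command-line argument is visible to every local user via `ps` or `/proc/<pid>/cmdline`) can be audited and avoided with the following shell snippet. It is an added example, not code from the DSA or from the dspam package; the `mysql -p…` / `--password=…` patterns, the `/proc` scan and the `--defaults-extra-file` options file are the assumed shape of the cron job and its fix.

```shell
#!/bin/sh
# Added example (not from DSA 1501-1 or dspam): audit process command lines
# for inline database passwords, the weakness behind CVE-2007-6418.

# Return 0 if the newline-separated argv in $1 carries an inline MySQL
# password (`-pSECRET` or `--password=SECRET`), 1 otherwise.
has_inline_password() {
    printf '%s\n' "$1" | grep -Eq -- '^(-p.+|--password=.+)$'
}

# Scan live processes. /proc/<pid>/cmdline is NUL-separated and readable by
# unprivileged local users on most Linux systems, which is exactly why a
# password placed there is exposed for as long as the process runs.
audit_proc_cmdlines() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        cmd=$(tr '\0' '\n' < "$f" 2>/dev/null) || continue
        if has_inline_password "$cmd"; then
            echo "${f%/cmdline}: inline password in command line"
        fi
    done
}

# Safer pattern for a cron job: keep the credential in a mode-0600 options
# file and let the client read it, so nothing secret ever appears in argv.
# $1 = path, $2 = db user, $3 = db password (the password only lands in the file).
write_mysql_defaults_file() {
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}
# The cron script then runs, for example:
#   mysql --defaults-extra-file=/etc/dspam/mysql.cnf dspam < purge.sql
```

Run `audit_proc_cmdlines` as an ordinary user to see what any local account could harvest; an empty result after the fix is the expected outcome.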
Severity
Classification: -
CVE: CVE-2007-6418
CVSS Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Related Vulnerabilities
- Debian Security Advisory DSA 2649-1 (lighttpd - fixed socket name in world-writable directory)
- Debian Security Advisory DSA 1012-1 (unzip)
- Debian Security Advisory DSA 1035-1 (fcheck)
- Debian Security Advisory DSA 2590-1 (wireshark - several vulnerabilities)
- Debian Security Advisory DSA 140-1 (libpng2, libpng3)